Hi, I am compiling PHP 5.2.5 with OCI8 on CentOS 5. I have installed the following from Oracle:
oracle-instantclient-basic-10.2.0.3-1
oracle-instantclient-sqlplus-10.2.0.3-1
oracle-instantclient-devel-10.2.0.3-1
These were the compile options used while configuring PHP:
'./configure' '--prefix=/usr/local/php-5.2.5' '--cache-file=../config.cache' '--with-libdir=lib' '--with-config-file-path=/usr/local/php-5.2.5/etc' '--with-config-file-scan-dir=/usr/local/php-5.2.5/etc/php.d' '--disable-debug' '--with-pic' '--disable-rpath' '--with-pear' '--with-bz2' '--with-curl' '--with-exec-dir=/usr/bin' '--with-freetype-dir=/usr' '--with-png-dir=/usr' '--enable-gd-native-ttf' '--with-gettext' '--with-gmp' '--with-iconv' '--with-jpeg-dir=/usr' '--with-openssl' '--with-pspell' '--with-pcre-regex' '--with-zlib' '--with-layout=GNU' '--enable-exif' '--enable-ftp' '--enable-magic-quotes' '--enable-sockets' '--enable-sysvsem' '--enable-sysvshm' '--enable-sysvmsg' '--enable-wddx' '--with-kerberos' '--enable-ucd-snmp-hack' '--with-snmp=shared,/usr' '--with-unixODBC=shared,/usr' '--enable-shmop' '--enable-calendar' '--with-mime-magic=/etc/httpd/conf/magic' '--without-sqlite' '--with-libxml-dir=/usr' '--enable-dom=shared' '--with-pgsql=shared' '--disable-dba' '--disable-xmlreader' '--disable-xmlwriter' '--without-gdbm' '--with-gd=shared' '--with-imap=shared' '--with-imap-ssl' '--with-mysql=shared,/usr' '--with-mysqli=shared,/usr/bin/mysql_config' '--enable-mbstring=shared' '--enable-mbregex' '--with-libmbfl' '--with-pdo-mysql=shared,/usr/bin/mysql_config' '--enable-pdo=shared' '--with-pdo-odbc=shared,unixODBC,/usr' '--with-xmlrpc=shared' '--with-ncurses=shared' '--with-ldap=shared' '--with-pdo-pgsql=shared,/usr' '--without-pdo-sqlite' '--with-db4=/usr' '--enable-force-cgi-redirect' '--enable-pcntl' '--with-xsl=shared,/usr' '--enable-xmlreader=shared' '--enable-xmlwriter=shared' '--enable-fastcgi' '--enable-cgi' '--with-apxs2=/usr/sbin/apxs' '--with-oci8=shared,instantclient,/usr/lib/oracle/10.2.0.3/client/lib' '--enable-sigchild'
Compile and install were successful. Apache was not working, and these are the sealert messages. I am putting here only the summary, raw audit message and suggestions, which I followed in the same order below to make Apache work.
1. Summary SELinux is preventing /usr/local/php-5.2.5/bin/php from loading /usr/lib/oracle/10.2.0.3/client/lib/libnnz10.so which requires text relocation.
Raw Audit Messages
avc: denied { execmod } for comm="php" dev=dm-0 egid=0 euid=0 exe="/usr/local/php-5.2.5/bin/php" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 path="/usr/lib/oracle/10.2.0.3/client/lib/libnnz10.so" pid=27356 scontext=root:system_r:unconfined_t:s0-s0:c0.c1023 sgid=0 subj=root:system_r:unconfined_t:s0-s0:c0.c1023 suid=0 tclass=file tcontext=system_u:object_r:lib_t:s0 tty=pts1 uid=0
chcon -t textrel_shlib_t /usr/lib/oracle/10.2.0.3/client/lib/*.so
2. SELinux is preventing /usr/sbin/httpd (httpd_t) "execstack" access to <Unknown> (httpd_t).
Raw Audit Messages
avc: denied { execstack } for comm="httpd" egid=0 euid=0 exe="/usr/sbin/httpd" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 pid=27907 scontext=root:system_r:httpd_t:s0 sgid=0 subj=root:system_r:httpd_t:s0 suid=0 tclass=process tcontext=root:system_r:httpd_t:s0 tty=(none) uid=0
setsebool -P httpd_disable_trans=1
3. Summary SELinux is preventing /usr/sbin/httpd from changing the access protection of memory on the heap.
Raw Audit Messages
avc: denied { execheap } for comm="httpd" egid=0 euid=0 exe="/usr/sbin/httpd" exit=0 fsgid=0 fsuid=0 gid=0 items=0 pid=3913 scontext=root:system_r:initrc_t:s0 sgid=0 subj=root:system_r:initrc_t:s0 suid=0 tclass=process tcontext=root:system_r:initrc_t:s0 tty=(none) uid=0
setsebool -P allow_execheap=1
Has anybody compiled PHP 5 with the Oracle client on Red Hat or CentOS 5 without any SELinux issues? Is this a known issue, or are my procedures wrong? I tried compiling a couple of weeks back with the Red Hat ent5 PHP source RPMs and got the same SELinux errors. Any possible help to put back allow_execheap=0 and httpd_disable_trans=0?
Thanks.
Seems the Oracle PHP application is doing some bad things with memory. It is basically attempting to make it both writeable and executable at the same time. This can cause potential problems as described in
http://people.redhat.com/~drepper/selinux-mem.html
and
http://danwalsh.livejournal.com/16975.html
You should probably report this as a bug to Oracle, and you can customize your policy to allow this access using audit2allow:
# grep http /var/log/audit/audit.log | audit2allow -M myhttp
# semodule -i myhttp.pp
This should allow you to run these oracle apps with SELinux in enforcing mode.
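Before loading a module built from `grep http ... | audit2allow`, it helps to see which domains the captured denials would actually widen. The sketch below is an added example, not part of the original thread and not audit2allow's own code: it parses trimmed copies of the three AVC records quoted above (embedded as a constructed sample) and prints allow rules in the form a local policy module uses; all function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample: the three AVC records quoted in this thread, trimmed to
# the fields the parser reads.
SAMPLE_AUDIT_LOG = """\
avc: denied { execmod } for comm="php" exe="/usr/local/php-5.2.5/bin/php" path="/usr/lib/oracle/10.2.0.3/client/lib/libnnz10.so" scontext=root:system_r:unconfined_t:s0-s0:c0.c1023 tclass=file tcontext=system_u:object_r:lib_t:s0
avc: denied { execstack } for comm="httpd" exe="/usr/sbin/httpd" scontext=root:system_r:httpd_t:s0 tclass=process tcontext=root:system_r:httpd_t:s0
avc: denied { execheap } for comm="httpd" exe="/usr/sbin/httpd" scontext=root:system_r:initrc_t:s0 tclass=process tcontext=root:system_r:initrc_t:s0
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict for one AVC denial line, or None if it is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    return {
        "perms": m.group("perms").split(),
        "path": fields.get("path"),
        "tclass": fields.get("tclass"),
        # An SELinux context is user:role:type[:level]; the type is field 3.
        "source": fields["scontext"].split(":")[2],
        "target": fields["tcontext"].split(":")[2],
    }

def candidate_rules(log_text):
    """Group denials into the allow rules a local module would need."""
    grouped = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec:
            target = "self" if rec["source"] == rec["target"] else rec["target"]
            grouped[(rec["source"], target, rec["tclass"])].update(rec["perms"])
    return sorted(f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
                  for (s, t, c), p in grouped.items())

def unexpected_domains(log_text, expected=("httpd_t",)):
    """Source domains in the denials that are not the confined service domain."""
    recs = filter(None, map(parse_avc, log_text.splitlines()))
    return sorted({r["source"] for r in recs} - set(expected))

if __name__ == "__main__":
    print("\n".join(candidate_rules(SAMPLE_AUDIT_LOG)))
    print("review before loading:", unexpected_domains(SAMPLE_AUDIT_LOG))
```

On this sample only the execstack rule targets httpd_t: the execheap denial, logged after httpd_disable_trans=1 was set, shows httpd running in initrc_t, and the execmod denial came from php run in unconfined_t, so a module generated from all three would widen those domains as well.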
Hi Dan,
Thank you for the reply. I found this on the Oracle website:
----------------------------------------------------------------------------
5.2 Error While Loading Shared Library When SELinux is Enforcing on Oracle Enterprise Linux 5.0 and Red Hat Enterprise Linux 5.0
SQL*Plus and Oracle Call Interface (OCI) program calls fail with SELinux in the Enforcing mode on Oracle Enterprise Linux 5.0 and Red Hat Enterprise Linux 5.0. Refer to the OracleMetaLink note 454196.1 for more details about the issue.
Workaround: Shift SELinux to Permissive mode on the system.
This issue is tracked with Oracle bugs 6140224 and 6342166.
----------------------------------------------------------------------------
The above comment can be found at:
http://download.oracle.com/docs/cd/B28359_01/relnotes.111/b32001/toc.htm#CJAFABGC
I don't have Oracle Meta link access to get more details.
Thanks,
PH
selinux@lists.fedoraproject.org